gh0strat | 3627b0fb792ecbfc67c827a797b1c268c9da1856d10cc35bbed24b17a17c8b89

Analysis

max time kernel
95s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe
Size

122KB
MD5

5199ea9d09658473c4d15ca45b95db22
SHA1

ea5bcb19d806eb2817c8836943e3f3cb12c24607
SHA256

3627b0fb792ecbfc67c827a797b1c268c9da1856d10cc35bbed24b17a17c8b89
SHA512

55b319cae6b10fec3b18f7924d663137232737014e85a32ce598dcb68762bbe0607b1c1a006f1fbf0f69d3e771a815a8069964b99f71ea06e6a2d5adc6fabf37
SSDEEP

3072:8Lk395hYXJ0K0i8IUSK9IxDti4+ez011uuSFssxaw0Dsp8:8QqArIUSK9Ihth01eaip8

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e72b-6.dat	family_gh0strat
behavioral2/memory/1404-10-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat
behavioral2/memory/2188-15-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat
behavioral2/memory/2224-20-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2440	install3643734.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	install3643734.exe

Loads dropped DLL 3 IoCs

pid	Process
1404	svchost.exe
2188	svchost.exe
2224	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qvwkcyhkbw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qfuxlscpbg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qniqtvfmoc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3284	1404	WerFault.exe	92
4292	2188	WerFault.exe	97
3316	2224	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install3643734.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2440	install3643734.exe
2440	install3643734.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2440	install3643734.exe
Token: SeBackupPrivilege	2440	install3643734.exe
Token: SeBackupPrivilege	2440	install3643734.exe
Token: SeRestorePrivilege	2440	install3643734.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeRestorePrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeSecurityPrivilege	1404	svchost.exe
Token: SeSecurityPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeSecurityPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeSecurityPrivilege	1404	svchost.exe
Token: SeBackupPrivilege	1404	svchost.exe
Token: SeRestorePrivilege	1404	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeRestorePrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeSecurityPrivilege	2188	svchost.exe
Token: SeSecurityPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeSecurityPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeSecurityPrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2188	svchost.exe
Token: SeRestorePrivilege	2188	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2440	4196	JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe	86
PID 4196 wrote to memory of 2440	4196	JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe	86
PID 4196 wrote to memory of 2440	4196	JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Roaming\install3643734.exe
  "C:\Users\Admin\AppData\Roaming\install3643734.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe" -sC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5199ea9d09658473c4d15ca45b95db22.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 860
  2⤵
  - Program crash
  PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 1404
1⤵
PID:2328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1088
  2⤵
  - Program crash
  PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2188 -ip 2188
1⤵
PID:4712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1036
  2⤵
  - Program crash
  PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2224 -ip 2224
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\install3643734.exe

Filesize
23.0MB

MD5
0c1eb1f050bc53ec36033ab70ee7edd1

SHA1
77910eaf496e030ad62fd6c36723579227614907

SHA256
b4641177b60235c091ab30d7c66b08511a0e1d7c3f88828f191def39bc14a9db

SHA512
955bd6076c9975dfbe59a12aff0ab8e6fff1d07afd19cc4fbca8d334fdaec82095db2590df936622799dda9f46d24d6c36092c8f82c6798d555e66f5a26ffa47

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
40e4d85bd92364317e10752544044b66

SHA1
a541ccf4b67e962139bce726726cb363462c8b2a

SHA256
067d521788a6b4d52224cc197db02c64b570ffd651830541a44ded6748c203ad

SHA512
adfd3189557b1bb6cc8a6d2826dca980d61300e24cae4b7f66c10046e04b85c29595296c003da0874b890a4b9afd389df8b8fb6fe50762ac7c89d4d570842030

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
69a164cb04eba6b6ec317047f8baef8b

SHA1
60ebcc47e628054dccf02c1a93583f22bd6b5458

SHA256
54878d3e56788f20915a824ef7d56201cabcab594100efa9ef25f6020a9b9417

SHA512
2cad783e877f74955649cb47c9a26f5df60b200ec047fa3bb5463491c351226cc72767cfb775c3dc962025db4029776729bfb7e0cd675daeb65417bb17390bb4

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\dbktg.pic

Filesize
20.1MB

MD5
d48af85dba92e6a36801abfa31449d95

SHA1
f40196d0c668ac934e1bebff5e31d5ea500c3ff1

SHA256
6996869e510205f543b89ba9adc33ce270b35eba99937fbe5fef44bc7c6839ce

SHA512
a30d47f59872c92fd0f50a6bb69a652a3f2e3898ac02f585e6ce355baf68a928709cd73053a3837988f10110d6935ef6fc9825ffae2e172b63070bfdac201850

Download Submit
memory/1404-8-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/1404-10-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2188-12-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2188-15-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2224-17-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2224-20-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download